FIX Do now allow arbitary class creation in CMS

code/controllers/CMSMain.php

@@ -871,7 +871,16 @@ class CMSMain extends LeftAndMain implements CurrentPageIdentifier, PermissionPr
 	 * @uses LeftAndMainExtension->augmentNewSiteTreeItem()
 	 */
 	public function getNewItem($id, $setID = true) {
+		$parentClass = $this->stat('tree_class');
 		list($dummy, $className, $parentID, $suffix) = array_pad(explode('-',$id),4,null);
+
+		if(!is_subclass_of($className, $parentClass) && strcasecmp($className, $parentClass) != 0) {
+			$response = Security::permissionFailure($this);
+			if (!$response) {
+				$response = $this->response;
+			}
+			throw new SS_HTTPResponse_Exception($response);
+		}
 		
 		$newItem = new $className();
 

tests/controller/CMSMainTest.php

@@ -328,6 +328,27 @@ class CMSMainTest extends FunctionalTest {
 
 		$this->session()->inst_set('loggedInAs', null);
 	}
+
+	public function testGetNewItem() {
+		$controller = new CMSMain();
+		$id = 'new-Page-0';
+
+		// Test success
+		$page = $controller->getNewItem($id, false);
+
+		$this->assertEquals($page->Title, 'New Page');
+		$this->assertNotEquals($page->Sort, 0);
+		$this->assertInstanceOf('Page', $page);
+
+		// Test failure
+		try {
+			$id = 'new-Member-0';
+			$member = $controller->getNewItem($id, false);
+			$this->fail('Should not be able to create a Member object');
+		} catch(SS_HTTPResponse_Exception $e) {
+			$this->assertEquals($controller->getResponse()->getStatusCode(), 302);
+		}
+	}
 }
 
 class CMSMainTest_ClassA extends Page implements TestOnly {
@@ -344,4 +365,4 @@ class CMSMainTest_NotRoot extends Page implements TestOnly {
 
 class CMSMainTest_HiddenClass extends Page implements TestOnly, HiddenClass {
 	
-}
+}